Friday, May 19, 2017

KDE trickery

I published my writeup about CVE-2017-8422 and CVE-2017-8849, including the PoC for smb4k. Note that this helper is most likely not installed by default on KDE systems. However, other helpers which are installed by default are affected too, such as kcm_systemd, which could be leveraged to overwrite arbitrary files. The most complicated part of the PoC was setting up a proper Qt/KDE 4/5 build environment, so I decided to just use dbus-send with a binary blob instead, rather than creating my own QVariantMap.